My Website Was Blacklisted By Google and Distributing Email Spam

Image by Benson Kua licensed under Creative Commons


Being blacklisted by Google is one of the worst things that can happen to a website. The public shame coming from every visitor being stopped by the Big Red Warning page can literally destroy any online business; I am speaking from personal experience before joining the Sucuri team. When a website is blacklisted, users are unable to access the website without specifically agreeing to take on the risks. As a result, blacklisted websites lose around 95% of their traffic.

The following is a true story, based on my personal experience with a blacklisted website. This is actually how I came to know of Sucuri, and how I now work for them as their Social Media Specialist. Have no fear, nothing has been changed; these are real names and events. No additional websites have been harmed during the writing process.



Inverted WordPress Trojan

A trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may have backdoors, send out spam, or inject hidden links and malware. The trojan model is easy to understand: package malware inside something useful and have webmasters install it themselves.

This week I came across something that I can call an inverted trojan — malware (installed without webmaster consent) that added useful features to WordPress.


Website Malware – Curious .htaccess Conditional Redirect Case

I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified:

[Image: Website Malware - Curious HTACCESS Payload]

The curious aspect of it is the use of a not-so-common .htaccess feature: variables. Most conditional injections rely only on the user agent (browser) or referer of the visitor, but this one also leveraged the TIME_SEC and VWM variables:


RewriteRule .* - [E=cNL:%{TIME_SEC}]
RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]

It assigns TIME_SEC (the “seconds” part of the current time) to the cNL variable and the payload to VWM. This causes the malware to redirect the visitor to a different page, depending on the time of day.

For example, if it is 9:00:01 (ending in the “01” second), it will redirect the visitor to a specific campaign ID (7522). If it is 9:00:02 (ending in the “02” second), it will redirect to a different campaign ID, and so on until it has covered all 60 seconds.

And when you mix that with all other conditions that this .htaccess malware has:

  1. It checks if the referer is Google, Facebook, Twitter or one of a few other popular sites.
  2. It checks if the operating system is a Mac, Windows, iPhone, iPad, iPod or Android.
  3. It checks if the cookie cNL is not set (to prevent displaying the malware more than once to the same person).
  4. It checks the time of the request to build a custom URL depending on the second.

It becomes very hard to detect, and even harder to identify all of the malicious URLs.

Very sneaky…
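To hunt for this pattern across many sites, a simple scanner can flag any .htaccess that stores a time variable in an environment variable while also filtering on referer, user agent or a missing cookie. The script below is an added example, not code from the original post; the signal names and verdict thresholds are assumptions, and only the two RewriteRule lines in the sample come from the post.

```python
import re

# Heuristic signals for the conditional-redirect pattern described in this post.
SIGNALS = {
    "env_time": re.compile(r"^\s*RewriteRule\b.*\[[^\]]*\bE=\w+:%\{TIME(_\w+)?\}", re.I),
    "env_host": re.compile(r"^\s*RewriteRule\b.*\[[^\]]*\bE=\w+:(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I),
    "referer_cond": re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I),
    "agent_cond": re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I),
    "cookie_absent_cond": re.compile(r"^\s*RewriteCond\s+%\{HTTP_COOKIE\}\s+!", re.I),
}
VISITOR = {"referer_cond", "agent_cond", "cookie_absent_cond"}

def scan(text):
    """Return {signal name: [line numbers]} for one .htaccess body."""
    hits = {}
    for num, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inactive
        for name, rx in SIGNALS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(num)
    return hits

def verdict(hits):
    """Time-keyed env variable plus visitor filtering is the pattern from the post."""
    visitor = VISITOR & set(hits)
    if "env_time" in hits and visitor:
        return "suspicious"
    if "env_time" in hits or "env_host" in hits or len(visitor) >= 2:
        return "review"
    return "clean"

# Constructed sample: the two RewriteRule lines are quoted from the post,
# the RewriteCond lines are made up to mirror the four listed checks.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|facebook|twitter) [NC]
RewriteCond %{HTTP_USER_AGENT} (windows|android|iphone) [NC]
RewriteCond %{HTTP_COOKIE} !cNL= [NC]
RewriteRule .* - [E=cNL:%{TIME_SEC}]
RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]
"""
# Constructed benign sample: the stock WordPress permalink rules.
BENIGN = r"""RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE), ("benign", BENIGN)):
        found = scan(body)
        print(label, verdict(found), found)
```

A "review" verdict is only a prompt to read the file by hand, since legitimate rules also set environment variables or filter on user agent.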

Mysterious Zencart Redirects Leverage HTTP Headers

About a week ago we got an interesting Zencart case. Since we don’t often write about Zencart, we figured it’d be a good time to share the case and details on what we found.

The Scenario

The site was redirecting to “www .promgirl .de” – I know, not very unique.

Additionally, it was only affecting “www” instances. All “non-www” instances were working correctly with no redirects. We also noticed that it would only trigger with specific user agents and referrers. This shouldn’t be new, as we’ve talked at length about conditional malware.


Fake jQuery Website Serving Redirection Malware

This just in, hot off the press: be careful with the jQuery libraries you’re using on your websites.

We received word from @chris_olbekson via Twitter about some hacks being reported on the WordPress forums:

[Image: chris_olbekson]